ACS 3.2 limited command authorization problem

shawn.stone
Level 1

I am trying to set up a command authorization set that will allow a group to configure and change loopback interfaces, but no other interfaces. Currently, once I allow configure, I cannot limit what interface they can change. It's either complete configure access, or none.

I have set up the command set like this:

- unmatched commands = deny
- permit unmatched arguments is UNCHECKED in both cases

Configure
  permit terminal

Interface
  permit ^loopback

aaa group server tacacs+ tsg1
 server x.x.x.x
!
aaa authentication login default group tacacs+
aaa authentication login vty group tsg1
aaa authentication enable default enable
aaa authorization exec default group tsg1
aaa authorization exec vtyauth group tsg1
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key labrat1
radius-server authorization permit missing Service-Type

Could someone please tell me what I am missing?

Accepted Solution

gfullage
Cisco Employee

"aaa authorization commands ...." works only on commands in exec mode. Once you enter config mode this authorization has no effect and the user will be able to do anything.

Add the following command to also enable authorization for config mode commands:

aaa authorization config-commands

and you should be good to go.
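As an added illustration of the gap the answer describes (this is not code from the thread or from Cisco), the Python script below audits an IOS-style running-config for exactly that condition: command authorization configured for exec mode via "aaa authorization commands", but nothing covering configuration mode. The sample configs are constructed to mirror the questioner's AAA section with placeholder server address and shared secret. The check treats an explicit "no aaa authorization config-commands" as a definite gap and the absence of the line as something to confirm on the device, since later IOS releases enable it by default once "aaa authorization commands" is present; it also flags, beyond the thread's case, a config where privilege level 15 has no command authorization method list at all.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the AAA section the questioner
# posted: server address and shared secret are placeholders, not the
# thread's values.
CONFIG_BEFORE = """\
aaa new-model
aaa group server tacacs+ tsg1
 server 192.0.2.10
!
aaa authentication login default group tacacs+
aaa authentication login vty group tsg1
aaa authentication enable default enable
aaa authorization exec default group tsg1
aaa authorization exec vtyauth group tsg1
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa session-id common
tacacs-server host 192.0.2.10
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key PLACEHOLDER_SHARED_SECRET
"""

# The same config with the accepted answer's line added.
CONFIG_AFTER = CONFIG_BEFORE + "aaa authorization config-commands\n"

# Variant where config-mode authorization has been explicitly switched off.
CONFIG_DISABLED = CONFIG_BEFORE + "no aaa authorization config-commands\n"

# "aaa authorization commands <level> <list-name> <method> [<method> ...]"
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_command_authz(config: str) -> Dict[int, Dict[str, object]]:
    """Map each privilege level that has command authorization to its method list."""
    levels: Dict[int, Dict[str, object]] = {}
    for raw in config.splitlines():
        m = CMD_AUTHZ_RE.match(raw.strip())
        if m:
            level, list_name, methods = m.groups()
            levels[int(level)] = {"list": list_name, "methods": methods.split()}
    return levels


def config_commands_state(config: str) -> str:
    """Return 'enabled', 'disabled' or 'unset' for 'aaa authorization config-commands'."""
    lines = {raw.strip() for raw in config.splitlines()}
    if "no aaa authorization config-commands" in lines:
        return "disabled"
    if "aaa authorization config-commands" in lines:
        return "enabled"
    return "unset"


def audit_command_authz(config: str) -> List[str]:
    """Return a list of findings; an empty list means no gap was detected."""
    findings: List[str] = []
    levels = parse_command_authz(config)
    if not levels:
        findings.append("no 'aaa authorization commands' lines: exec-mode commands "
                        "are not authorized by the AAA server")
        return findings
    state = config_commands_state(config)
    covered = ", ".join(str(lvl) for lvl in sorted(levels))
    if state == "disabled":
        findings.append("'no aaa authorization config-commands' present: configuration-mode "
                        "commands bypass the command sets for levels %s" % covered)
    elif state == "unset":
        # The thread's fix. Later IOS releases enable this by default once
        # 'aaa authorization commands' exists, so confirm on the device
        # rather than treating the missing line as certain.
        findings.append("'aaa authorization config-commands' not explicitly set: add it, "
                        "or confirm the device enables it by default (levels %s)" % covered)
    if 15 not in levels:
        findings.append("privilege level 15 has no command authorization method list")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                      ("disabled", CONFIG_DISABLED)):
        print(name, audit_command_authz(cfg) or "OK")
```

Run against a saved "show running-config" and an empty result means both exec-mode and configuration-mode commands are going through the TACACS+ command sets; only then can a set like "permit ^loopback" under "interface" actually constrain what a group may change.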


That did it! Thanks for the help!